Wi-Fi® Networks at VA Hospitals: What Security is Acceptable?

In late April, U.S. Department of Veterans Affairs (VA) CIO Roger Baker told FierceGovernmentIT that only one-third of VA's large facilities currently have Wi-Fi® but that the VA plans to have enterprise-grade Wi-Fi at the remaining two-thirds of VA facilities in the next two to three years.  Six weeks later, Harris Corporation® announced that it has been awarded a two-year, $19 million contract by the VA to deploy new Wi-Fi infrastructure at all 26 VA hospitals in the U.S.

A MobiHealthNews article says that Harris will install Cisco Wi-Fi® infrastructure gear. Wayne Lucernoni, vice president and general manager of Harris’ healthcare IT business, describes it as a “very standard wireless infrastructure”.

No mention is made of whether or not the Wi-Fi infrastructure, or the client devices that connect to it, will be validated for FIPS 140-2, the U.S. federal government standard for encryption and decryption. The VA recently made news because of a complaint that it was circumventing federal rules for information security in its deployment of iPhones and up to 100,000 iPads. The Inspector General was asked to investigate the complaint and also evaluate the VA's practice of storing sensitive data without FIPS-validated hardware encryption. A federal audit found that:

• The encryption on the VA's iPhones and iPads is not validated for FIPS 140-2.
• The VA compensated by using a security application "Good" from Good Technology to encrypt data such as emails, calendars, and contact lists.
• That application is validated for FIPS 140-2.
• The use of the application was deemed to be an acceptable solution.

What security will be deemed acceptable for other client devices, including medical devices, that use Wi-Fi to connect to VA networks?